Where does HIPAA go? Wherever it wants.

The GAO just issued another assessment of HHS's and ONCHIT's progress in identifying and addressing key HIPAA and other health IT related privacy issues, and developing an overall approach to HIT privacy.  The federales — not known for nimbleness — have made significant progress, but have not yet fully addressed all of the issues on this front tagged by GAO in its Febuary 2007 HIT report.  In GAO-speak:

This assessment may, in fact, be too kind.  The federales' June 2008 HIT strategic plan, though full of privacy and security objectives, strategies and compliance, has been critiqued by some observers as being somewhat out of touch with reality.  There's a lot further to go.

In related privacy news, HHS released some HIPAA FAQs this week — two information sheets, one directed at consumers and one at providers.  No new information there, but perhaps they will be useful in eliminating basic HIPAA confusion in some quarters.  HIPAA should no longer the universal excuse for being unable to provide information to or about a patient, or to agree to a particular provision while negotiating a deal (though it's still proffered as an excuse sometimes, as is Stark and Sarbanes-Oxley, usually more because a party to a negotiation just doesn't want to agree to a particular contract term and is seeking to hang their hat on some external factor).

Moving from HIPAA privacy to HIPAA security: Another recent development is the release of a new health informatics information security management standard by the ISO.  Quoth the press release:

It remains for someone better-versed in the technical end of things than I am to assess whether ISO compliance and HIPAA compliance could dovetail neatly in a manner that may yield more reliable protections for health information security, or whether this ISO standard will be a wrench thrown in the works of evolving HIPAA security rule compliance.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting